Risk Management Failures

I had compiled the attached list of “Risk Management Failures” originally for use in ERM training seminars in 2001. The original version was a list from an article on banking risk management failures (that I can no longer find to credit) combined with a list of insurer failures from my memory.

When I first showed this slide, one seminar participant said that at their Risk Committee meetings, the participants took turns giving a 1 minute summary of the story of various risk management failures. Others have said that they have used a list like this as part of a justification for risk management development.

Over the years, I have sporadically updated the list, adding both more current examples as well as some more historic events as I became aware of them.

There are doubtless many important examples that I am missing. The list probably will no longer fit on one slide (the original version used a much larger font size).

So please share your suggestions for additional items that should be added.

Phillip Kingston Carver managed to buy two insurance companies in 1990 without laying down a cent. He had stripped out $1 million from Occidental and Regal Insurance before the former owners realised they had been had.

In a sad postscript, Carver took the booty in cash and went around paying off his many creditors from a suitcase before the cops caught up with him…

I found reading the input on this thread very interesting, and appreciated your views.

I don’t want to drag this thread too far off its core purpose, but wanted to add a few thoughts.

Defining all of the failures as failures of Risk Management is probably correct in the broadest of contexts – whether through a misunderstanding of the risk, failure to implement adequate controls or a system or process failure.

The challenges I see most commonly are:

1. The subjective nature of risk – whereby group think pressures (consciously or otherwise) an individual to assume a risk is not a risk simply by the nature of group or herd consent. This is seen in Banks buying triple A rated bonds, which were actually worthless – and nobody investigated or really got to the bottom of the true risk because everyone assumed they were fine, simply because everyone else was doing it. This safety in numbers assumption is founded on the often overly subjective nature of risk.

2. Risk awareness is heavily tied to the overall awareness of organisational objectives. Failures often occur because the organisation identifies a risk too late in the game, and therefore cannot respond in time. One primary driver of this is recorded here with the research findings from Epiphany. Less than 3% of personnel typically aware of the organisation's objectives presents a significant challenge to effective risk management. Identifying risks at an early stage becomes less likely. It almost requires the risk team to see everything themselves, as even with a risk process in place, if the objectives are not communicated, risks cannot be paired to identify the threat.

This does broaden the scope to some extent on what constitutes a business failure because of poor risk management.

There are six types of risk management failures:
1) Mismeasurement of known risks.
2) Failure to take risks into account.
3) Failure in communicating the risks to top management.
4) Failure in monitoring risks.
5) Failure in managing risks.
6) Failure to use appropriate risk metrics.

According to a report on Bloomberg, BMO expanded trading in natural gas options after prices rose in 2005 following Hurricane Katrina. The bank relied on one broker to price contracts as the portfolio grew, resulting in an “inappropriate level” of options that lost value when there was a decline in the volatility of gas prices, chief executive William Downe said to the wire service. “The steep level of loss was largely a result of incorrect valuation of the commodity portfolio, which masked the rapid escalation of risk and the real cost of the positions. Our commodity trading team did not operate according to standard BMO business practices. Leadership oversight of the business was not as disciplined or rigorous as it could have been,” Downe added.

Managing Risk: Practical Lessons from Recent ‘Failures’ Of EU Insurers
William McDonnell, FSA Occasional Papers, December 2002
In this report a working group of supervisors from 15 European countries dissect recent experiences of failed insurance companies and ‘near misses’ across the life and non-life sectors since 1996. The report also assesses supervisory practices aimed at prevention and advance detection. It concludes that internal management problems appear to be the root cause of every failure or near failure; firms need to anticipate how risks can interact in complex ways, including causal links between different types of risk (for instance operational risks and underwriting risk or claims evaluation risk) and unexpected correlations (particularly between certain asset and underwriting risks); and that it is important to strike the right balance between prescriptive rules, principles, incentives and diagnostic tools.

* An approach to assure the firm is attending to all risks;
* A set of expectations among management, shareholders, and the board about which risks the firm will and will not take;
* A set of methods for avoiding situations that might result in losses that would be outside the firm’s tolerance;
* A method to shift focus from “cost/benefit” to “risk/reward”;
* A way to help fulfill a fundamental responsibility of a company’s board and senior management;
* A toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming; and
* A language for communicating the firm’s efforts to maintain a manageable risk profile.

Alternatively, we feel ERM is not:

* A method to eliminate all risks;
* A guarantee that the firm will avoid losses;
* A crammed-together collection of longstanding and disparate practices;
* A rigid set of rules that must be followed under all circumstances;
* Limited to compliance and disclosure requirements;
* A replacement for internal controls of fraud and malfeasance;
* Exactly the same for all firms in all sectors;
* Exactly the same from year to year; nor
* A passing fad.

I want to pick up on an earlier point in this thread. These are not all risk management failures. We should be careful not to call every business failure a risk management failure. I think that the desire to do that comes from the mistaken perspective that the risk management function should either 1) be a sort of “super” risk-taker, whose decisions about vetoing risk override those of the people in the business function or 2) be responsible for all losses since it is risk management’s responsibility, and risk management’s alone, to avoid losses.

The role of risk management should be to define, highlight, and (possibly) quantify the risks of an organization. A risk management failure is where the risk management function fails to perform this task, and *not* where the business decision made based on the information available at the time is incorrect.

For example, the Barings case seems to fall for #1. The risk management function should have informed senior management about the risks involved with rogue traders, and possibly had some input into determining what the appropriate level of controls are over trader authorizations, but ultimately, the restrictions decided on, which would balance control versus other business factors (e.g., system ease of use, cost, etc) is not a risk management function, and the actual carrying out of the controls is a control function, not a risk management function. Even if risk management had determined that operational controls were insufficient, it is not the role of risk management to override the business decision makers and implement the control system that they believe is adequate.

And putting Enron and Worldcom on the list seems to fall for #2. Why are these losses the responsibility of risk management? Maybe the risk management function at an investor who incurred losses was failing, but I’m not sure how risk management is responsible for finding fraud within a company – again, that is a control function.

I haven’t read it carefully yet, but after skimming it does not appear to have any completely new stuff, but this takes the reader step by step through what was done at UBS from mid 2005 through the end of 2007.

So this gives the story in detail in terms of one institution that was in the middle of the subprime situation. Should become a reference to students of risk management failures.

Are there any major stock market crashes missing that were primarily caused by specific events?

The Northridge Earthquake led to a near-failure for 21st Century (was 20th Century) Insurance Company and led to the creation of CA EQ Authority.

Hurricane Hugo had a big impact too but was more of a wake up call with what ifs such as if Hugo had hit Miami directly.

If we consider including severe cyclical markets, medical malpractice has had several dramatic cycles which have led to several failures/takeovers and state owned facilities. If we do add it, I suggest it twice. The first major crisis was about 1975. There are several “loss leaders” who imploded or exited that niche that could be listed for the most recent cycle (St. Paul!?).

Workers compensation (pre-Unicover!) and reinsurance might be other areas with risk management “cyclical” failures to consider for the list.

I read this sentence in an article on the net just now. Certainly a risk management model gone bad:

Intense competition between California workers’ comp insurers in the late 1990s – combined with spiraling medical costs, fraud and abuse – caused more than 20 firms to go bust or leave the state from 2000 to 2003.
Pam

Just to add to the list of Risk Management Failures – find attached a
short report on such a failure.

Basically, a con man managed to use the statutory funds of two life
offices to buy the life office. This is a close point for me, as the
gentleman apparently lived down the road from me. Companies were
Occidental and Regal.

On the life office guarantee funds of some time ago in Australia, it was
an interesting case. This is all from memory. The products were not
available at call, but had an ‘up to’ five year lock in period or
thereabouts. Due to competitive pressure this lock in period was
generally not enforced.

The CEO made a big fanfare when they became the largest insurance
company in Australia (by premium income).
When earning rates fell they were forced to change asset mix to 100%
cash, and enforce the lock in period. In effect, it offered a cash rate
on a product sold to pension plans, with a theoretical lock in period of
five years.

The company was not the largest company by premium income for very long,
and was taken over a couple of years later.

Dave,
If risk policies existed but were not enforced, I would see that as a risk management failure, since “enforcement” is an important component of the risk management function. On the other hand, if there are no risk management policies, or no risk management function, I think that “operational risk” could certainly make sense as a category as you suggest, but would prefer it categorized simply as a risk management failure, since it is a failure in the recognition of risk, and this is the first step to effective risk management.
My other reason for not distinguishing this latter group is that my guess is that there won’t be many “clean” examples in this latter category, since today, virtually everyone at least “talks” the risk management language, and has at least a modest level of investment and effort in the function, if for no other reason than to survive a Board discussion. But as most of us know, such modest efforts are doomed to fail and will ultimately be statistics that are appropriately categorized as risk management failures, which is to say, failures to recognize and/or adequately address risk.
Bob
Robert R. Reitano
Professor of the Practice in Finance
International Business School
Brandeis University

Just a point of clarification. I titled the original list “Risk Management Failures” not company failures or insolvencies or whatever.

I never tried to produce a crisp definition of a risk management failure, but it would be along the lines of major losses that might have been preventable by better risk management.

In many of the cases, risk management wasn’t tried. In a few of the cases risk management was in place but risk measures were not adequate to properly inform the risk takers of the exposures or risk policies were not adequately enforced.

I have had an interesting side conversation with one person who wants to classify all of the situations where risk management was not really used as Operational Risks.

There were some issues with mutual life companies offering guaranteed
policies within the superannuation (pension) system. These policies were
backed by a mix of assets including equities, but the funds were effectively
at call, so there was a very substantial ALM issue. Cash rates at the time
were very high, and so the rates provided under these policies were likewise
quite high, and at the same time the mutual life companies were competing on
rates. No failures resulted, but the balance sheet of one of the companies
was weakened quite considerably when markets moved adversely.

I would add the “Piper Alpha” oil-platform disaster, which knocked out some reinsurers (e.g. a UK PC reinsurer belonging to the newly-formed ING) who didn’t have a good understanding of their risk accumulations due to spiraling retrocessions.

I notice that you don’t have any failures for 1990. Find attached a brief summary of the failure of Occidental and Regal (two Australian life companies). Basically, a con-man (Phillip Carver) used the statutory funds of one of the life companies to buy the two companies. Search the doc for ‘Occidental’ for a brief summary.

fsi.treasury.gov.au/content/downloads/suppsubs/66.pdf

Steve.

BTW – commodities houses have also had difficulties – Metallgesellschaft for example, to complement ENRON.

Finally, the list contains both events (Asian Flu) and insolvencies (LTCM). I would argue that events will always happen – they are not the failure of a firm’s risk management capability. The exposure to the event, leading to insolvency of an organisation, represents a failure.

I would add to Dave’s list the failure of UK insurers Vehicle and General (in 1971) and Independent (in 2001). The former is well chronicled (there was a Government inquiry) while the latter is the subject of a current fraud trial.

One could also add to the list the well-chronicled Maxwell pension scheme scandal of 1991-92.

From Ireland there could be the failures of Insurance Corporation of Ireland (1985) and Private Motorists’ Protection Association (1983).

While I sympathise with the desire to classify by nature of risk, I think some failure of management control tends to be a common element in most of these stories!